I've been quite disappointed by the preamble of their paper, which calls IE8's XSS filter a new type of defense and a somewhat novel approach (before bashing it), when we all know that NoScript came first. Sirdarckcat personally apologized, blaming Lindsay for this and other "pro-big-players" bias, such as the decision to omit, from the comparative table in their slides, Sirdarckcat's opinion that NoScript is the safest among the in-browser filters and the hardest to bypass.

Notwithstanding, the technical core of this research is well worth reading if you're interested in XSS attack and defense techniques.

After the Black Hat debacle was echoed in the press, David Ross, the main XSS Filter engineer at Microsoft, published a Guidance on Internet Explorer XSS Filter document on the Microsoft Security Response Center website, announcing an otherwise unspecified "patch" coming in June (mmm, two whole months? need some help?) and making two interesting statements:

In the case of the Internet Explorer XSS Filter, researchers found scenarios that are generally applicable across XSS filtering technologies in all currently shipping browsers with this technology built-in.

Overall we maintain that it's important to use a browser with an XSS Filter

... can really mean one thing only: Microsoft maintains that it's important to use Firefox with NoScript :)

This entry was posted on Wednesday, April 21st, 2010 at 12:03 pm and is filed under IE, XSS, Mozilla, Security, NoScript.

A bit of spurious reasoning, not that I don't use NoScript. I think they were trying to spruik IE8 still. But maybe you could help them along and port NoScript to IE, and then they would at least have something to crow about, once they offer you an obscene amount of money and put it into the code natively.
I am surprised you didn't mention the recent Network Solutions attack and its injection of malicious JavaScript. If something like NoScript were globally used, this breach may have been found sooner with less collateral damage; if I saw JavaScript on my page I would know, as there is very little and it isn't whitelisted.

The wording in the whitepaper preamble was completely mine, so yes, you can blame me. When I said IE8's filters were "somewhat novel", I was referring to the fact that they were not the first to develop thorough client-side XSS filters; clearly NoScript had been doing this for quite some time. However, they were the first *browser* to have such filters built in by default.

It was not my intent to slight NoScript in any way. In hindsight, I can clearly see your point of view and I apologize for not properly acknowledging NoScript's pioneering role in terms of client-side filters.

That being said, I make no apologies for the content of the comparison slide in our presentation. Although Eduardo and I had a lot of back-and-forth discussion regarding how to compare things on that slide, the final contents accurately reflect the average of our opinions (which were never that far apart to begin with). And I take offense to any accusations of bias towards "big players"; if anything, the opposite is true.